Merge pull request #338 from intersective/fix/remove-sandbox-secrets


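################################################
# GITHUB ACTION WORKFLOW NAME
################################################
# Deploys cutie-app to the p1-stage AWS account on every push to trunk (or
# manually). Steps: checkout, Node setup + cache, install, fetch p1-stage
# credentials from Secrets Manager in the shared account, serverless deploy,
# build the Angular app, sync to S3, invalidate CloudFront, notify Slack and
# upload a deployment report.
name: Deploy to p1-stage environment
################################################
# GITHUB ACTION EVENT TRIGGER
################################################
# `on` reads as a YAML 1.1 boolean key in generic parsers; GitHub's loader
# handles it (suppress yamllint `truthy` here if linting).
on:
  workflow_dispatch:
  push:
    branches: ['trunk']
################################################
# GITHUB ACTION JOBS
################################################
jobs:
  deploy-p1-stage:
    name: deploy-p1-stage
    runs-on: ubuntu-latest
    environment: p1-stage
    timeout-minutes: 15
    # Least privilege for GITHUB_TOKEN: the job only needs to read the repo;
    # all AWS access uses the credentials obtained in the steps below.
    permissions:
      contents: read
    ################################################
    # GITHUB ACTIONS GLOBAL ENV VARIABLES
    ################################################
    env:
      REGION: ap-southeast-2
      ENV: test  # Valid values are dev,test,live only
      STACK_NAME: p1-stage  # Valid values are au,us,uk,p2,lf,nu,p1-sandbox,p1-stage,p2-sandbox,shared only
      ROOTSTACK: cutie-app
      CFNS3BucketName: devops-cfn-templates
      PRIVATES3BucketName: devops-shared-private
      PUBLICZONENAME: p1-stage.practera.com
      BUILD_CONFIG: custom
      STATUSREPORTS3Bucket: deployment-status.practera.com
      STATUS: DEPLOYED
      # workflow_dispatch declares no inputs above, so these expand to empty
      # strings; the reporting step at the end overrides both anyway.
      REQUESTOR: ${{ github.event.inputs.REQUESTOR }}
      REASON: ${{ github.event.inputs.REASON }}
      ENDPOINT: cutie-app.p1-stage.practera.com
      BRANCH_TAG_NAME: trunk
    ################################################
    # GITHUB REPO CHECKOUT
    ################################################
    steps:
      # NOTE(review): actions are pinned to old majors (v2/v1); newer majors
      # exist — verify compatibility before bumping.
      - uses: actions/checkout@v2
        with:
          # Shallow clones should be disabled for a better relevancy of
          # analysis; the reporting step also needs `git log -2` to see the
          # previous commit.
          fetch-depth: 0
      ################################################
      # NODE ENV
      ################################################
      - name: Setup Node.js environment
        uses: actions/setup-node@v2
        with:
          node-version: '14'
      ################################################
      # NODE MODULES CACHE
      ################################################
      - name: Cache node modules
        uses: actions/cache@v2
        id: cache-node-modules
        env:
          cache-name: cache
        with:
          # npm cache files are stored in `~/.npm` on Linux/macOS
          path: |
            ~/.npm
            node_modules
            */*/node_modules
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package.json') }}
          restore-keys: |
            ${{ runner.os }}-build-${{ env.cache-name }}-
            ${{ runner.os }}-build-
            ${{ runner.os }}-
      ################################################
      # NODE MODULES INSTALL
      ################################################
      - name: Install dependencies
        if: steps.cache-node-modules.outputs.cache-hit != 'true'
        run: npm install
      ################################################
      # AWS CLI CONFIGURATION - DEVOPS
      ################################################
      - name: Configure AWS credentials from $STACK_NAME account in $REGION region
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.DEVOPS_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEVOPS_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.REGION }}
      ##########################################################
      # AWS DEPLOY SECRET - MASK CONSOLE DISPLAY
      ##########################################################
      # Reads the deploy secret from Secrets Manager in the shared account,
      # masks every credential and publishes them as step outputs consumed by
      # the steps below. The secret is fetched once and each field is taken
      # from the cached JSON.
      - name: AWS Deploy Secret
        id: DeploySecret
        # `bash` runs with -eo pipefail, so a failed Secrets Manager call or
        # jq parse aborts the step instead of silently yielding empty values.
        shell: bash
        run: |
          echo "Enable SLACK NOTIFY"
          DEPLOY_SECRET=$(aws secretsmanager get-secret-value --secret-id "$STACK_NAME-DEPLOY-$ENV" | jq --raw-output '.SecretString')
          SLACK_WEBHOOK_URL=$(jq -r .SLACK_WEBHOOK_URL <<< "$DEPLOY_SECRET")
          echo "::add-mask::$SLACK_WEBHOOK_URL"
          echo "SLACK_WEBHOOK_URL=$SLACK_WEBHOOK_URL" >> "$GITHUB_OUTPUT"
          echo "Enable P1 Stage ACCOUNT CLI Login"
          P1_STAGE_AWS_ACCESS_KEY_ID=$(jq -r .P1_STAGE_AWS_ACCESS_KEY_ID <<< "$DEPLOY_SECRET")
          P1_STAGE_AWS_SECRET_ACCESS_KEY=$(jq -r .P1_STAGE_AWS_SECRET_ACCESS_KEY <<< "$DEPLOY_SECRET")
          # Mask before writing outputs so the values never appear in job logs.
          echo "::add-mask::$P1_STAGE_AWS_ACCESS_KEY_ID"
          echo "::add-mask::$P1_STAGE_AWS_SECRET_ACCESS_KEY"
          # $GITHUB_OUTPUT replaces the deprecated ::set-output workflow command.
          echo "P1_STAGE_AWS_ACCESS_KEY_ID=$P1_STAGE_AWS_ACCESS_KEY_ID" >> "$GITHUB_OUTPUT"
          echo "P1_STAGE_AWS_SECRET_ACCESS_KEY=$P1_STAGE_AWS_SECRET_ACCESS_KEY" >> "$GITHUB_OUTPUT"
        env:  # TODO: Update once manually to new stack accordingly
          STACK_NAME: shared  # Valid values are au,us,uk,p2,lf,nu,p1-sandbox,p1-stage,p2-sandbox,shared only
          ENV: live  # Valid values are sandbox,stage,live only
      ##########################################################
      # AWS P1 STAGE ACCOUNT STEPS BELOW
      ##########################################################
      - name: Configure AWS credentials from $STACK_NAME account in $REGION region
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ steps.DeploySecret.outputs.P1_STAGE_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ steps.DeploySecret.outputs.P1_STAGE_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.REGION }}
        env:
          AWS_ACCESS_KEY_ID: ${{ steps.DeploySecret.outputs.P1_STAGE_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ steps.DeploySecret.outputs.P1_STAGE_AWS_SECRET_ACCESS_KEY }}
      ##########################################################
      # AWS S3 SYNC - SERVERLESS TEMPLATES
      ##########################################################
      - name: AWS S3 Sync operation
        run: |
          aws s3 cp serverless.yml "s3://$CFNS3BucketName/$STACK_NAME/$REGION/$ROOTSTACK/sls-templates/serverless.yml"
      ##########################################################
      # CLOUDFORMATION EXPORT VARIABLES
      ##########################################################
      # Appends CloudFormation export values to .env for the serverless deploy.
      # The backticks are escaped because the heredoc body is still subject to
      # shell expansion.
      - name: Cloudformation Export variables
        run: |
          cat >> .env <<EOF
          CDNSharedACMCertificateArn=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CDNSharedACMCertificateArn-$ENV\`].Value" --no-paginate --output text)
          ChatBotSNSTopicARN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-ChatBotSNSTopicARN-$ENV\`].Value" --no-paginate --output text)
          EOF
      ###############################################################
      # SERVERLESS DEPLOYMENT
      ##############################################################
      - name: Serverless deployment
        run: |
          echo "Serverless Deploying"
          node_modules/.bin/serverless deploy
          rm serverless.yml
        env:
          CUTIES3BUCKET: cutie-app.${{ env.PUBLICZONENAME }}
          # Env values are always strings in Actions; quoted so YAML tooling
          # does not retype them.
          S3VERSIONING: "true"
          NONCURRENTVERSION_EXPIREINDAYS: "30"
          # DEFAULT_EXPIREINDAYS: 0 # Mandatory to disable
      ###############################################################
      # ANGULAR ENVIRONMENT CREATION
      ##############################################################
      # Exports the CUSTOM_* values env.sh needs. Each Secrets Manager secret is
      # fetched once; fields are extracted from the cached JSON.
      - name: Angular Environment creation
        # -eo pipefail via `bash`: a failed fetch aborts instead of exporting
        # empty values (the fetch lines are plain assignments so the exit
        # status propagates; `export X=$(...)` would swallow it).
        shell: bash
        run: |
          printf "Creating required secret variables for angular environment variable creation\n\n"
          APPKEY_SECRET=$(aws secretsmanager get-secret-value --secret-id "$STACK_NAME-AppKeySecret-$ENV" | jq --raw-output '.SecretString')
          FILESTACK_SECRET=$(aws secretsmanager get-secret-value --secret-id "$STACK_NAME-FilestackSecret-$ENV" | jq --raw-output '.SecretString')
          PUSHER_SECRET=$(aws secretsmanager get-secret-value --secret-id "$STACK_NAME-PusherSecret-$ENV" | jq --raw-output '.SecretString')
          export CUSTOM_APPKEY=$(jq -r .appkey <<< "$APPKEY_SECRET")
          export CUSTOM_FILESTACK_SIGNATURE=$(jq -r .signature <<< "$FILESTACK_SECRET")
          export CUSTOM_FILESTACK_VIRUS_DETECTION=$(jq -r .virusdetection <<< "$FILESTACK_SECRET")
          export CUSTOM_FILESTACK_KEY=$(jq -r .apikey <<< "$FILESTACK_SECRET")
          export CUSTOM_FILESTACK_POLICY=$(jq -r .policy <<< "$FILESTACK_SECRET")
          export CUSTOM_PUSHER_APPID=$(jq -r .app_id <<< "$PUSHER_SECRET")
          export CUSTOM_PUSHERKEY=$(jq -r .key <<< "$PUSHER_SECRET")
          export CUSTOM_PUSHER_SECRET=$(jq -r .secret <<< "$PUSHER_SECRET")
          export CUSTOM_PUSHER_CLUSTER=$(jq -r .cluster <<< "$PUSHER_SECRET")
          # Mask the credential-like values so env.sh or later output cannot
          # echo them into the job log (same treatment as the DeploySecret step).
          echo "::add-mask::$CUSTOM_APPKEY"
          echo "::add-mask::$CUSTOM_FILESTACK_SIGNATURE"
          echo "::add-mask::$CUSTOM_PUSHER_SECRET"
          printf "Angular environment variable creation complete\n\n"
          printf "Executing env.sh script\n\n"
          chmod +x env.sh && ./env.sh
        env:
          CUSTOM_APPENV: ${{ env.ENV }}
          CUSTOM_AWS_REGION_CHINA: ap-northeast-2  # TODO CHECK
          CUSTOM_S3_BUCKET_CHINA: practera-seoul-1  # TODO CHECK
          CUSTOM_CHATGEAPHQLENDPOINT: https://chat-api.${{ env.PUBLICZONENAME }}/
          CUSTOM_PATH_IMAGE: /cutie/image/uploads/
          CUSTOM_AWS_REGION: ${{ env.REGION }}
          CUSTOM_PATH_ANY: /cutie/any/uploads/
          CUSTOM_S3_BUCKET: files.${{ env.PUBLICZONENAME }}
          CUSTOM_APIENDPOINT: https://cutie-api.${{ env.PUBLICZONENAME }}/
          CUSTOM_APIENDPOINTOLD: https://admin.${{ env.PUBLICZONENAME }}/
          CUSTOM_PRACTERCORE: https://admin.${{ env.PUBLICZONENAME }}/
          CUSTOM_PATH_VIDEO: /cutie/video/uploads/
          CUSTOM_GEAPHQLENDPOINT: https://core-graphql-api.${{ env.PUBLICZONENAME }}/
      ###############################################################
      # BUILD WEB PACKAGES
      ##############################################################
      - name: Build Web Packages
        run: |
          printf '' > src/environments/environment.ts
          # BUILD_CONFIG is a job-level env var, so read it from the shell
          # environment rather than expanding the expression into the script.
          node_modules/.bin/ng build --configuration="$BUILD_CONFIG"
      ##########################################################
      # AWS S3 SYNC OPERATIONS
      ##########################################################
      - name: AWS S3 Sync Operations
        run: |
          CUTIEAPPS3=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CUTIES3BUCKET-$ENV\`].Value" --no-paginate --output text)
          # Refuse to run a --delete sync against an unresolved bucket name.
          if [ -z "$CUTIEAPPS3" ]; then
            echo "CloudFormation export $STACK_NAME-CUTIES3BUCKET-$ENV not found" >&2
            exit 1
          fi
          aws s3 sync www/ "s3://$CUTIEAPPS3" --delete
      ##########################################################
      # AWS CDN CACHE INVALIDATION
      ##########################################################
      - name: AWS Cloudfront Cache invalidation
        run: |
          CUTIEAPPCDN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CutieCloudFrontDistributionID-$ENV\`].Value" --no-paginate --output text)
          # The export may list several distribution IDs; invalidate each one.
          for i in $CUTIEAPPCDN; do
            aws cloudfront create-invalidation --distribution-id "$i" --paths "/*"
          done
      ##########################################################
      # SLACK NOTIFICATION
      ##########################################################
      - name: Slack Notification
        if: always()  # Pick up events even if the job fails or is canceled.
        uses: 8398a7/action-slack@v3
        env:
          # Prefer the webhook fetched (and masked) by the DeploySecret step,
          # which was previously computed but never consumed; fall back to the
          # repository secret when that step did not run or failed.
          SLACK_WEBHOOK_URL: ${{ steps.DeploySecret.outputs.SLACK_WEBHOOK_URL || secrets.SLACK_WEBHOOK_URL }}
          MATRIX_CONTEXT: ${{ toJson(matrix) }}  # required
        with:
          status: ${{ job.status }}
          author_name: ${{ env.BRANCH_TAG_NAME }} - ${{ env.ROOTSTACK }} deployed to ${{ env.ENV }} environment in ${{ env.STACK_NAME }} AWS account
          mention: 'here'
          if_mention: failure,cancelled
          job_name: deploy-p1-stage  # Match the name above.
          fields: repo,commit,eventName,ref,workflow,message,author,job,took
          # Evaluated as JavaScript by the action. The second job.status
          # comparison was missing its opening quote, which made the whole
          # payload a syntax error.
          custom_payload: |
            {
              username: 'GitHub Action CI WorkFlow',
              icon_emoji: ':github:',
              attachments: [{
                color: '${{ job.status }}' === 'success' ? 'good' : '${{ job.status }}' === 'failure' ? 'danger' : 'warning',
                text:
                  `${process.env.AS_REPO}\n
                  ${process.env.AS_COMMIT}\n
                  ${process.env.AS_EVENT_NAME}\n
                  @${process.env.AS_REF}\n
                  @${process.env.AS_WORKFLOW}\n
                  ${process.env.AS_MESSAGE}\n
                  ${process.env.AS_AUTHOR}\n
                  ${process.env.AS_JOB}\n
                  ${process.env.AS_TOOK}`,
              }]
            }
      # ################################################
      # # STATUS VARIABLE UPDATE
      # ################################################
      - name: Deployment status variable update
        if: ${{ failure() }}
        run: |
          echo "STATUS=FAILURE" >> "$GITHUB_ENV"
      # ################################################
      # # DEVOPS-DEPLOYMENT REPORT
      # ################################################
      # NOTE(review): deploy-reporting.sh is downloaded from the status bucket
      # and executed at run time; its contents are not pinned or verified here.
      - name: DevOps Deployment Reporting
        if: always()
        env:
          # Overrides the job-level REQUESTOR (empty on push) with the actor.
          # Set via env so the expression is not expanded inside the script.
          REQUESTOR: ${{ github.actor }}
        run: |
          pip install --upgrade pip
          pip install --upgrade csvtotable
          # Second-newest subject: the merge commit's parent on a PR merge.
          export REASON=$(git log -2 --format=%s | sed -n 2p)
          aws s3 cp "s3://$STATUSREPORTS3Bucket/deploy-reporting.sh" deploy-reporting.sh
          chmod +x deploy-reporting.sh && ./deploy-reporting.sh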